More UNC2452 activity, with some advice on defense. Chimera’s after airlines. President Trump’s final EO addresses IaaS abuse. – The CyberWire

Malwarebytes has disclosed that it was hit by the same “nation state actor implicated in [the] SolarWinds breach.” Note that this isn’t another victim of the SolarWinds compromise—Malwarebytes doesn’t use SolarWinds—but rather another victim of the same actor. “Evidence suggests abuse of privileged access to Microsoft Office 365 and environments,” Malwarebytes said, adding that the Microsoft Security Center alerted the company to the problem. The damage seems to have been confined to “a limited subset of internal company emails,” and there was no evidence found to suggest that on-premises or production environments were compromised.

Those interested in hardening themselves against this sort of activity would do well to consult some advice FireEye’s Mandiant unit published yesterday. They outline protective measures available for use against the threat actor they track as UNC2452.

NCC Group and its FOX-IT subsidiary have found that a Chinese threat actor (CyCraft researchers called the group “Chimera” when they first described it), hitherto known for collecting intellectual property from Taiwan’s semiconductor industry, in fact has a much more extensive target list. The targets are now believed to include airlines, specifically the personal data they hold. Apparently the group is seeking to collect information about individuals of interest with a view to mounting credential-stuffing and password-spraying attacks against the targets’ organizations.

US President Trump yesterday issued an Executive Order outlining measures to control foreign malicious use of Infrastructure as a Service (IaaS) products. Commerce, Justice, and Homeland Security have the lead.

